[darkehawke]

Whatsapp is a vulnerable IM service compared to BBM.

Android is VULNERABLE compared to Blackberry. There are more VULNERABILITES on the android platform. Its just like comparing whatsapp to BBM. Whatsapp is horrible.

Vulnerable.

if managed properly, those vulnerabilities you speak off are about as bad as blackberry vulnerability.

No platform is 100% secure.

I dont get it, there's double standards to the arguments. whatsapp is insecure, android is insecure. blackberry is secure.
but if you use whatsapp on blackberry, you're insecure? surely that just points out it's the app that is providing the vulnerabilities, so if you manage your apps properly on Android you cut out those vulnerabilities?

[qbnkelt]

Whatsapp is a vulnerable IM service compared to BBM.

Android is VULNERABLE compared to Blackberry. There are more VULNERABILITES on the android platform. Its just like comparing whatsapp to BBM. Whatsapp is horrible.

Vulnerable.

Agreed
Agreed
Agreed
Subjective statement

Now.....

Judicious and informed use mitigates those vulnerabilities

Irresponsible use of a BB renders a BB vulnerable

There is no impenetrable platform

......and the beat goes on......the beat goes on.....






What I find really hilarious is the absolute refusal to acknowledge that a BB can be made vulnerable through improper use.....

You would have so much more credence if you would step down from the white tower and simply say.....yes, it's true....no platform is impenetrable....

I would actually have respect for your position if there were even a hint of reason behind it instead of fierce close minded fundamentalist dogma.

[belfastdispatcher]

Yes but that isn't necessarily terribly surprising. They don't have the resources (and possibly the technical sophistication) of western governments or even, perhaps (and only for example) central or eastern European criminal networks.

I bet casual inspection of the messages on the server by people authorized to view them such as rim employers of BIS messages would be the most frequent breach of security though. Just speculating though.

Sent from my Droid DNA

Wild speculating if you ask me, I've seen the NOC, there's not that many people working there lol, there's no "casual inspection" when a couple billion messages a day flow trough it.

[belfastdispatcher]

So let me get this right, a BlackBerry can be as insecure as Android but an Android will never be secure enough to bank on it, Q wouldn't, she does it on a BlackBerry.

So if I want just one device(not 2 or 3 or 4) that I could do banking on it what does that leave me with?

According to Q that will be a BlackBerry, no matter how much she likes Android.

[anon62607]

if managed properly, those vulnerabilities you speak off are about as bad as blackberry vulnerability.

No platform is 100% secure.

I dont get it, there's double standards to the arguments. whatsapp is insecure, android is insecure. blackberry is secure.
but if you use whatsapp on blackberry, you're insecure? surely that just points out it's the app that is providing the vulnerabilities, so if you manage your apps properly on Android you cut out those vulnerabilities?

There are several possible openings to attack any platform. Getting right down to it, someone may kidnap you and force you to turn over your password by threat of violence and you might be willing to comply. There are cryptosystems designed to defeat that situation, such as TrueCrypt with separate keys for two different sets of data on a disk. There is no way to distinguish the crypted data from random data and you have the first key to unlock most of the data and the second to unlock the most secure data. Probably most people won't have to worry about this kind of situation.

The second opening is by someone who has access to the stream of data coming from your phone. This could be a cellphone company, one of the upstream providers of a cellphone company, anyone who is listening in on the channel itself (possibly) or someone with a subpoena ordering the cellphone company to turn over or record your data stream. In this case, properly implemented encryption will protect you fairly well. This is the complaint I have with WhatsApp, or at least how WhatsApp's security is currently described (by third parties) as. The data is encrypted with a symmetric key that is communicated in an insecure way to the server. Anyone with the ability to listen in on the channel can recover that key and use it to decrypt the messages just as easily as the legitimate receiver and this seems to be an exceptionally naive way of encryption a communication stream given how much research has gone into secure key exchange. This is very weak on the part of WhatsApp and if true gives the impression that they don't know what they're doing - once again, if that is true. BlackBerry Messenger does not have this problem.

The third opening is by someone who has access to the server that is handling the messages - this could be an employee of the company that is handling the messages or some other observer. It seems that both WhatsApp and BBM on BIS have this vulnerability. The way to plug that hole is that a message should not exist in unencrypted form except on the transmitting and receiving UE and the message server directly passes the encrypted (cypher text) messages through itself. Key exchange, in addition, needs to be done in a secure way. Some desktop chat clients do this kind of thing (OTR over some Jabber clients, for example) and in some cases even allow for use of one-time pads. If you can communicate a one time pad in a secure way (meet and physical in person exchange for example), do not reuse the one time pad, and those one time pads only exist on the sending and receiving UE, there's no way to attack the message stream itself except perhaps by some kind of message length analysis. The only way to get at the message data is to recover the one time pad somehow.

My ideal mobile messaging client would offer all of this, perhaps a plug in system that would allow for the use of one time pads between some devices, or allow the use of public key crypted messages to other types of devices, or allow the use of a symmetric cypher that you exchange in person physically or through NFC, or optionally through DH key exchange over an otherwise insecure channel, and then keep going down the stack of security to offer even completely plaintext messages. (the problem with one time pads is you are limited in how many messages you can send by the length of the one time pad and how random the one time pad data actually is - so you'd want less secure but infinite length options to send photographs, for example).

The real question is how determined an attacker do you think might be after your data and how much do you want to protect it. Completely plaintext messages transmitted over coffee shop wifi can be sniffed out of the air almost casually. Whatsapp is a step above that, it would take more than a few minutes to set up an attack to recover data being sent by WhatsApp, but probably not more than a few hours or days for a determined, experienced attacker. BlackBerry Messenger is considerably more difficult than that, at least raising itself to the level of government agency or trusted-employee gaining the ability to get access to the data. I'd like an option for something even more secure, but for the most part WhatsApp is fine. I don't particularly care that people might know I'm meeting friends for dinner at 6, though it would be annoying that someone could just casually snoop that message traffic. WhatsApp does make it harder for casual snooping, which is an ok level of security for most people.

[reeneebob]

I

So basically would you ever recommend an Android device to a person that can only afford (or only needs/wants) one device considering banking is out of the question??

I don't consider banking out of the question. I've banked for years on BB, iPhone and Android without a qualm and will continue to do so. I do with all of them the one step of turning off wifi first. In all the years I've owned a smartphone I've never had an issue.

As a side note, these childish alts the trolls are using to stalk members here speak more to the BB fan base than the Android one, and they aren't making them look good. It must be quiet at other boards, or they feel the need to bully. It's really pathetic. How long until the IP bans start?

I had to get the red SGS3...garnet is my birthstone! Excuses sent via Tapatalk 2

[belfastdispatcher]

There are several possible openings to attack any platform. Getting right down to it, someone may kidnap you and force you to turn over your password by threat of violence and you might be willing to comply. There are cryptosystems designed to defeat that situation, such as TrueCrypt with separate keys for two different sets of data on a disk. There is no way to distinguish the crypted data from random data and you have the first key to unlock most of the data and the second to unlock the most secure data. Probably most people won't have to worry about this kind of situation.

The second opening is by someone who has access to the stream of data coming from your phone. This could be a cellphone company, one of the upstream providers of a cellphone company, anyone who is listening in on the channel itself (possibly) or someone with a subpoena ordering the cellphone company to turn over or record your data stream. In this case, properly implemented encryption will protect you fairly well. This is the complaint I have with WhatsApp, or at least how WhatsApp's security is currently described (by third parties) as. The data is encrypted with a symmetric key that is communicated in an insecure way to the server. Anyone with the ability to listen in on the channel can recover that key and use it to decrypt the messages just as easily as the legitimate receiver and this seems to be an exceptionally naive way of encryption a communication stream given how much research has gone into secure key exchange. This is very weak on the part of WhatsApp and if true gives the impression that they don't know what they're doing - once again, if that is true. BlackBerry Messenger does not have this problem.

The third opening is by someone who has access to the server that is handling the messages - this could be an employee of the company that is handling the messages or some other observer. It seems that both WhatsApp and BBM on BIS have this vulnerability. The way to plug that hole is that a message should not exist in unencrypted form except on the transmitting and receiving UE and the message server directly passes the encrypted (cypher text) messages through itself. Key exchange, in addition, needs to be done in a secure way. Some desktop chat clients do this kind of thing (OTR over some Jabber clients, for example) and in some cases even allow for use of one-time pads. If you can communicate a one time pad in a secure way (meet and physical in person exchange for example), do not reuse the one time pad, and those one time pads only exist on the sending and receiving UE, there's no way to attack the message stream itself except perhaps by some kind of message length analysis. The only way to get at the message data is to recover the one time pad somehow.

My ideal mobile messaging client would offer all of this, perhaps a plug in system that would allow for the use of one time pads between some devices, or allow the use of public key crypted messages to other types of devices, or allow the use of a symmetric cypher that you exchange in person physically or through NFC, or optionally through DH key exchange over an otherwise insecure channel, and then keep going down the stack of security to offer even completely plaintext messages. (the problem with one time pads is you are limited in how many messages you can send by the length of the one time pad and how random the one time pad data actually is - so you'd want less secure but infinite length options to send photographs, for example).

The real question is how determined an attacker do you think might be after your data and how much do you want to protect it. Completely plaintext messages transmitted over coffee shop wifi can be sniffed out of the air almost casually. Whatsapp is a step above that, it would take more than a few minutes to set up an attack to recover data being sent by WhatsApp, but probably not more than a few hours or days for a determined, experienced attacker. BlackBerry Messenger is considerably more difficult than that, at least raising itself to the level of government agency or trusted-employee gaining the ability to get access to the data. I'd like an option for something even more secure, but for the most part WhatsApp is fine. I don't particularly care that people might know I'm meeting friends for dinner at 6, though it would be annoying that someone could just casually snoop that message traffic. WhatsApp does make it harder for casual snooping, which is an ok level of security for most people.

On the other hand Whatsapp does warn you you are using their services at your own risk in T&C, not exactly confidence inspiring is it?

As for BBM even the UK police cannot monitor it in real time as revealed in the London riots times.

[anon62607]

On the other hand Whatsapp does warn you you are using their services at your own risk in T&C, not exactly confidence inspiring is it?

As for BBM even the UK police cannot monitor it in real time as revealed in the London riots times.

And that's a good sign, but I would like something I know to be even more secure than that. Still, I would much rather have BBMs security than WhatsApp, but I would rather have WhatsApp's ubiquity.

[qbnkelt]

I don't consider banking out of the question. I've banked for years on BB, iPhone and Android without a qualm and will continue to do so. I do with all of them the one step of turning off wifi first. In all the years I've owned a smartphone I've never had an issue.

As a side note, these childish alts the trolls are using to stalk members here speak more to the BB fan base than the Android one, and they aren't making them look good. It must be quiet at other boards, or they feel the need to bully. It's really pathetic.

I had to get the red SGS3...garnet is my birthstone! Excuses sent via Tapatalk 2

Yup.....it doesn't speak well......but hey, think of the attention we're getting....think how much power we've got for it that it would take the time to create a new account every twenty minutes to stalk us.....then think of the sad, pathetic, troll whose energies are going to this....I might actually start to feel sorry for it....

trolling in defence of a phone......

[anon62607]

On the other hand Whatsapp does warn you you are using their services at your own risk in T&C, not exactly confidence inspiring is it?

As for BBM even the UK police cannot monitor it in real time as revealed in the London riots times.

Now that I've read a little about BBM and the London Riots, it looks like the UK police did not have the technical sophistication or manpower to do that kind of monitoring (even twitter seemingly was more or less unmonitored though the level of effort to recover twitter messages is fairly low), so that anecdote might not really mean anything. Also trying to monitor a large group of people to find a subset of those that might be talking about a specific kind of activity is a different task than "watch what Bob Smith is talking about".

There is a danger here of beating the topic to death more than it already is, but in general the take away is Yes, BBM is much more secure (in the way a bank vault is more secure than a screen door) than WhatsApp but that probably doesn't make up for the fact that WhatsApp is on many different platforms. Also, I can imagine that at some point WhatsApp will get serious about security and fix their problems which takes a lot of the advantage of BBM away. BBM should stay ahead of the game and add even more levels of security and multiple platform support.

[anon62607]

And since my knowledge of BBM is very outdated I have a few questions in general for the group about BBM:

* Can anonymous messages be sent to an individual or to a group?
* How large can groups be?
* Can you anonymously subscribe to a group?
* Can you generate "throw away" PINs or block a user from sending you messages?
* How large can messages be?
One I think that was already answered was:
* Is it possible to send a message to all users in a geographic area, or the closest n number of users (e.g., message the closest 1000 people to ask if it's snowing where they are, as a totally random example, or if anyone is available to give you a ride somewhere). I think this would be kind of neat to have as a feature, as long as you had the ability to turn off those messages.

[anon62607]

On the other hand Whatsapp does warn you you are using their services at your own risk in T&C, not exactly confidence inspiring is it?

As for BBM even the UK police cannot monitor it in real time as revealed in the London riots times.

and now reading even more about the London Riots I came across this quote:
In the words of Crackberry.com, “although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic 'key' that is common to every BlackBerry device all over the world". “This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed.”

Uh - that takes a lot of the advantage away. PIN to PIN messages are encrypted with a single symmetric key that is common to every blackberry in the world? Unless I'm not understanding this correctly, that seems to mean that there's almost no value in the encryption at all. If you can intercept the message and that message isn't encrypted by a asymmetric session key, and moreover is a key the whole world must be aware of, what is the point?

Can someone explain exactly how BBM encryption works?

edit: it looks like this article: http://dawn.com/2012/02/22/is-blackb...saging-secure/ reinforces that.

(quoted) However, it should be understood that if you are not using BES, you should not consider PIN-to-PIN messages as ‘secure’ and/or encrypted. The messages are only scrambled to the point where a normal third party cannot view them.

No kidding. This is basically exactly the same level of security that WhatsApp has. You just have to go to a different but also easily available place to get ahold of the symmetric key.

Someone please tell me that these articles are wrong and I am not correctly understanding how the PIN to PIN encryption is being applied for BIS communications with BBM?

[web99]

I for one hopes that WhatsApp comes to BB10. It is one of the most downloaded apps right now on ios, android and BB and there are many out there on who use it. If it is not there at launch, it will not affect my decision to get a BB10, but for many, it not being there is a dealbreaker.

[anon62607]

Now I'm starting to think that BBM though BIS is slightly less secure than whatsapp in that since BBM over BIS uses the same key worldwide for all messages, you don't need to have captured the key exchange to be able to decrypt the messages between server and blackberry whereas you must have captured the key exchange part of a whatsapp conversation to decrypt it.

Calling BBM encrypted in the context of this conversation in comparison to the "just awful" whatsapp seems to be disingenuous. Naive and non technical users (such as myself which is quite obvious given the credit I was giving to BBM security earlier in the thread) can be easily mislead into thinking that BBM is secure, or given the relative derision shown to whatsapp I was lead to believe that BBM was much better. Shouldn't we as a community in general be a little more balanced and forthright when discussing this? Why didn't someone bring up the fact that BBM pin to pin communications are all encrypted with the same key?

Sent from my Droid DNA

[qbnkelt]

And since my knowledge of BBM is very outdated I have a few questions in general for the group about BBM:

* Can anonymous messages be sent to an individual or to a group? No
* How large can groups be? 50 (i think)
* Can you anonymously subscribe to a group? no, must be invited
* Can you generate "throw away" PINs or block a user from sending you messages? device PIN # cannot be changed, users can be blocked. i blocked one person on this very thread
* How large can messages be? don't know
One I think that was already answered was:
* Is it possible to send a message to all users in a geographic area, or the closest n number of users (e.g., message the closest 1000 people to ask if it's snowing where they are, as a totally random example, or if anyone is available to give you a ride somewhere). I think this would be kind of neat to have as a feature, as long as you had the ability to turn off those messages.

[qbnkelt]

Now I'm starting to think that BBM though BIS is slightly less secure than whatsapp in that since BBM over BIS uses the same key worldwide for all messages, you don't need to have captured the key exchange to be able to decrypt the messages between server and blackberry whereas you must have captured the key exchange part of a whatsapp conversation to decrypt it.

Calling BBM encrypted in the context of this conversation in comparison to the "just awful" whatsapp seems to be disingenuous. Naive and non technical users (such as myself which is quite obvious given the credit I was giving to BBM security earlier in the thread) can be easily mislead into thinking that BBM is secure, or given the relative derision shown to whatsapp I was lead to believe that BBM was much better. Shouldn't we as a community in general be a little more balanced and forthright when discussing this? Why didn't someone bring up the fact that BBM pin to pin communications are all encrypted with the same key?

Sent from my Droid DNA

Most reasonable people are. Rabid fanbois are not.

[qbnkelt]

and now reading even more about the London Riots I came across this quote:
In the words of Crackberry.com, “although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic 'key' that is common to every BlackBerry device all over the world". “This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed.”

Uh - that takes a lot of the advantage away. PIN to PIN messages are encrypted with a single symmetric key that is common to every blackberry in the world? Unless I'm not understanding this correctly, that seems to mean that there's almost no value in the encryption at all. If you can intercept the message and that message isn't encrypted by a asymmetric session key, and moreover is a key the whole world must be aware of, what is the point?

Can someone explain exactly how BBM encryption works?

edit: it looks like this article: Is BlackBerry messaging secure? | Sci-Tech | DAWN.COM reinforces that.

(quoted) However, it should be understood that if you are not using BES, you should not consider PIN-to-PIN messages as ‘secure’ and/or encrypted. The messages are only scrambled to the point where a normal third party cannot view them.

No kidding. This is basically exactly the same level of security that WhatsApp has. You just have to go to a different but also easily available place to get ahold of the symmetric key.

Someone please tell me that these articles are wrong and I am not correctly understanding how the PIN to PIN encryption is being applied for BIS communications with BBM?

i think you need SITHAPPRENTICE or BRANTA for a good, nondogmatic response to this.

[lnichols]

And that's a good sign, but I would like something I know to be even more secure than that. Still, I would much rather have BBMs security than WhatsApp, but I would rather have WhatsApp's ubiquity.

Setup your own BES and have your phone go through it. Then you are in complete control of the encryption between the handset and the BES. Of course that will only apply to other devices connected to your BES that you are communicating with. RIM has to make BBM traffic via the BIS accessible, with the use of a warrant, to law enforcement due to laws like CALEA. You could probably write your own peer-to-peer type app using the cryptographic API's in BB10 and add messaging to it.

[anon62607]

Setup your own BES and have your phone go through it. Then you are in complete control of the encryption between the handset and the BES. Of course that will only apply to other devices connected to your BES that you are communicating with. RIM has to make BBM traffic via the BIS accessible, with the use of a warrant, to law enforcement due to laws like CALEA. You could probably write your own peer-to-peer type app using the cryptographic API's in BB10 and add messaging to it.

I was just about to comment that BES seems to have it's own problems. First that while you do create a different key from the global BIS key, that key is still common across all devices in the enterprise. While the key can be changed and a new key pushed (how is that key pushed, by the way? Is secure key exchange used there at least) to all of the devices when a device is compromised, if the key can be recovered from the compromised device it can be used then to decrypt all of the messages sent to any of the devices while that key was in use (presuming all of the message traffic was recorded). It is a bit better than the BIS situation, but not hugely better.

You could increase security by rolling keys very frequently, but this still doesn't have a real "encrypted" feel.

[jafrul]

prompted to upgrade my whatsapp...
and hey.. the new upgrade (which was pushed yesterday, i think) is much less laggy...
group message is smoother and broadcasting made easy with the last few upgrades...
thanks whatsapp...
messaging to my clients has made it much more easier now..

Sent from my unsliding slider BlackBerry 9800 using Tapatalk

[hornlovah]

I was just about to comment that BES seems to have it's own problems. First that while you do create a different key from the global BIS key, that key is still common across all devices in the enterprise. While the key can be changed and a new key pushed (how is that key pushed, by the way? Is secure key exchange used there at least) to all of the devices when a device is compromised, if the key can be recovered from the compromised device it can be used then to decrypt all of the messages sent to any of the devices while that key was in use (presuming all of the message traffic was recorded). It is a bit better than the BIS situation, but not hugely better.

You could increase security by rolling keys very frequently, but this still doesn't have a real "encrypted" feel.

BES allows you to use S/MIME or PGP to extend message security. The following is an older BlackBerry technical document, but it answers your questions on pages 22-24 (PDF link): BlackBerry Enterprise Server for MDS Applications Version: 4.1 | Service Pack: 7 Feature and Technical Overview. After reviewing the Wikipedia pages for Pretty Good Privacy (PGP), S/MIME, and Public-key cryptography, you shoud experience that "real encrypted" feeling.

[anon62607]

BES allows you to use S/MIME or PGP to extend message security. The following is an older BlackBerry technical document, but it answers your questions on pages 22-24 (PDF link): BlackBerry Enterprise Server for MDS Applications Version: 4.1 | Service Pack: 7 Feature and Technical Overview. After reviewing the Wikipedia pages for Pretty Good Privacy (PGP), S/MIME, and Public-key cryptography, you shoud experience that "real encrypted" feeling.

I'm fairly familiar with PGP in that I did use PGP for a few years for mail. I know the basics of public key cryptography from a cryptography oriented math class in college (we would attack very short keys by hand, etc) - which is good - S/MIME could be implemented fairly easily on WhatsApp and I would expect that would be the next step they would do.

Anyway, so, with that information, BES *if* configured with PGP and *if* you are only communicating with devices on your own enterprise is getting close to a comfortable level of security. It would be nice if that were BBM-on-BIS wide and configured by default on BES as well. As it stands now, if you are using BBM on BIS you should in no way expect your messages to be any more secure (and really, slightly less secure) than via WhatsApp, would you agree?

[anon62607]

BES allows you to use S/MIME or PGP to extend message security. The following is an older BlackBerry technical document, but it answers your questions on pages 22-24 (PDF link): BlackBerry Enterprise Server for MDS Applications Version: 4.1 | Service Pack: 7 Feature and Technical Overview. After reviewing the Wikipedia pages for Pretty Good Privacy (PGP), S/MIME, and Public-key cryptography, you shoud experience that "real encrypted" feeling.

Since PGP seems to be add-on available and does provide for exactly what I was talking about earlier (sender-to-recipient encryption) is it possible for anyone who wants (even over BIS) to add on that package, enable it, and send messages with that enabled?

[belfastdispatcher]

I was just about to comment that BES seems to have it's own problems. First that while you do create a different key from the global BIS key, that key is still common across all devices in the enterprise. While the key can be changed and a new key pushed (how is that key pushed, by the way? Is secure key exchange used there at least) to all of the devices when a device is compromised, if the key can be recovered from the compromised device it can be used then to decrypt all of the messages sent to any of the devices while that key was in use (presuming all of the message traffic was recorded). It is a bit better than the BIS situation, but not hugely better.

You could increase security by rolling keys very frequently, but this still doesn't have a real "encrypted" feel.

Right, I thought you were serious until you started questioning even the security of BES.

[anon62607]

Right, I thought you were serious until you started questioning even the security of BES.

BES in the default configuration doesn't seem to be particularly secure. It does seem like it can be configured to be reasonably secure. However, I know very little about it and that's why I am asking how the encryption system is applied, how key exchange is accomplished, and so on.